Abstract. The cost of LTL model checking is highly sensitive to the length of the formula under verification. We observe that, under some specific conditions, the input LTL formula can be reduced to an easier-to-handle one before model checking. In our reduction, the two formulae need not be logically equivalent, but they share the same counterexample set w.r.t. the model. In the case that the model is symbolically represented, the condition enabling such a reduction can be detected with lightweight effort (e.g., with SAT-solving). In this paper, we tentatively name this technique "CounterExample-Preserving REduction" (CePRe, for short), and the proposed technique is experimentally evaluated by adapting NuSMV.



1 Introduction 

Linear Temporal Logic (LTL, for short) [11] is one of the most frequently used specification languages in model checking (cf. [14]). It designates properties over a linear structure, which can be viewed as an execution of the program. The task of LTL model checking is to search the state space (explicitly or implicitly), with the goal of detecting the existence of feasible traces violating the specification. If such traces exist, the model checker will report one of them as a "counterexample"; otherwise, the model checker will give an affirmative report.

It can be shown that the complexity of LTL model checking $M \models \varphi$ is in $O(|M| \times 2^{|\varphi|})$; meanwhile, the nesting depth of temporal operators might be the major factor affecting the cost of compiling LTL formulae.

Hence, it is reasonable to simplify the specification before conducting model checking. For example, in [12], Somenzi and Bloem provided a series of rewriting schemas for simplifying LTL specifications, and these rewriting schemas preserve logical equivalence.

One may argue that "a majority of LTL formulas used in real applications are simple and succinct rather than complicated", but we need to notice the following facts:



— Typically, the LTL formula $\mathrm{F}(p\mathrm{U}q)$ is usually considered a "simple" one; nevertheless, it can be further simplified to $\mathrm{F}q$, and this fact tends to be overlooked.¹

— Indeed, people do use complicated specifications in the real industrial field, as well as in some standard benchmarks (cf. [2]).

— Last but not least, not all specifications are designated manually. Actually, some formulae are generated by specification-generation tools (e.g., ProSpec). Indeed, one may find that lots of these machine-generated specifications can be simplified.

Symbolic model checking [10] is one of the most significant breakthroughs in model checking, and two major fashions of symbolic model checking are widely used: one is the BDD-based manner [6], and the other is the SAT-based manner, such as bounded model checking [1].

Instead of using an explicit representation, the symbolic manner represents the state space with a series of Boolean formulae. This enables implicit manipulation of the verification process and it usually leads to an efficient implementation [3]. Meanwhile, such a unified representation of transitions and invariants of the model potentially provides heuristic information to simplify the specification. For example:

— The formulae $p\mathrm{U}q$ and $(r\mathrm{U}p)\mathrm{U}q$ can be respectively reduced to $q$ and $(r\mathrm{U}p) \vee q$, if we know that $p \to q$ holds everywhere in the model.

— Each occurrence of $\mathrm{G}\theta$ in the specification can be replaced with $\top$ (i.e., logically true), if we can inductively infer that the Boolean formula $\theta$ holds at each reachable state in the model.

Actually, we can make certain of these conditions with the following efforts.

— To check whether "$p \to q$ holds everywhere in the model", we may test if $p \to q$ is an invariant in the model, i.e., if $\rho \wedge \neg(p \to q)$ is unsatisfiable (we later denote this as $\rho \vdash p \to q$), where $\rho$ is the Boolean encoding of the model's transition relation.

— Likewise, to justify that $\theta$ holds at each reachable state, it suffices to ensure that $\theta_0 \vdash \theta$ and $\rho \vdash \theta \to \theta'$, where $\theta_0$ is the initial condition of the model.

Hence, this provides an opportunity to replace the specification with a simpler one, accompanied by some lightweight extra task of condition detection. Even if such detection fails, the overhead is usually negligible.

In this paper, we systematically investigate the above idea, and tentatively name this technique CounterExample-Preserving REduction (CePRe, for short). Such a reduction can be done before starting model checking, and it is an optimization technique orthogonal to both encoding approaches and model compression techniques.

To justify it, we have extended NuSMV and implemented CePRe as an upfront option for LTL model checking. Subsequently, we conduct experiments over both industrial benchmarks and randomly generated cases. Experimental results show that CePRe can improve the efficiency significantly.

¹ On one hand, $p\mathrm{U}q$ implies $\mathrm{F}q$, and hence $\mathrm{F}(p\mathrm{U}q)$ implies $\mathrm{FF}q$ (i.e., $\mathrm{F}q$); on the other hand, $q$ implies $p\mathrm{U}q$, and hence $\mathrm{F}q$ implies $\mathrm{F}(p\mathrm{U}q)$.

This paper is organized as follows: Section 2 revisits some basic notions. Section 3 introduces the CePRe technique and gives the performance analysis. In Section 4, experimental results over industrial benchmarks as well as over randomly generated cases are given. We summarize the whole paper in Section 5.

2 Preliminaries 

We presuppose a countable set $\mathcal{P}$ of atomic propositions, ranging over $p$, $q$, $p_1$, etc. For each proposition $p \in \mathcal{P}$, we create a primed version $p'$ (not belonging to $\mathcal{P}$) for it. For each set $V \subseteq \mathcal{P}$ we define $V' = \{p' \mid p \in V\}$. We use $\mathbb{B}(V)$ to denote the set of Boolean formulae over $V$; similarly, we denote by $\mathbb{B}(V \cup V')$ the set of Boolean formulae over $V \cup V'$. The scope of the prime operator can be naturally lifted to Boolean formulae over $\mathbb{B}(V)$, by defining

An assignment is a subset $V$ of $\mathcal{P}$; intuitively, it assigns 1 (or, true) to propositions belonging to $V$, and assigns 0 (or, false) to other propositions. For each $V \subseteq U \subseteq \mathcal{P}$ and $\theta \in \mathbb{B}(U)$, we write $V \Vdash \theta$ if $\theta$ evaluates to 1 under the assignment $V$.

A united assignment is a pair $(V_1, V_2)$, where both $V_1$ and $V_2$ are subsets of $\mathcal{P}$. It assigns 1 to propositions belonging to $V_1 \cup V_2'$, and assigns 0 to other propositions. Suppose that $V_1, V_2 \subseteq U \subseteq \mathcal{P}$ and $\theta \in \mathbb{B}(U \cup U')$; we also write $(V_1, V_2) \Vdash \theta$ if $\theta$ evaluates to 1 under the united assignment $(V_1, V_2)$.

LTL formulae can be inductively defined as follows.

— $\bot$ and $\top$ are LTL formulae.

— Each proposition $p \in \mathcal{P}$ is an LTL formula.

— If both $\varphi_1$ and $\varphi_2$ are LTL formulae, so is $\varphi_1 \to \varphi_2$.

— If $\varphi$ is an LTL formula, then $\mathrm{X}\varphi$ and $\mathrm{Y}\varphi$ are LTL formulae.

— If $\varphi_1$ and $\varphi_2$ are LTL formulae, then both $\varphi_1\mathrm{U}\varphi_2$ and $\varphi_1\mathrm{S}\varphi_2$ are LTL formulae.

The semantics of an LTL formula is defined w.r.t. a linear structure $\pi \in (2^{\mathcal{P}})^\omega$ (i.e., $\pi$ is an infinite word over the alphabet $2^{\mathcal{P}}$) and a position $i \in \omega$. Inductively:

— $\pi, i \models \top$ and $\pi, i \not\models \bot$;

— $\pi, i \models p$ iff $\pi(i) \Vdash p$ (where $\pi(i)$ is the $i$-th letter of $\pi$, which can be viewed as an assignment, for it is a subset of $\mathcal{P}$);

— $\pi, i \models \varphi_1 \to \varphi_2$ iff either $\pi, i \not\models \varphi_1$ or $\pi, i \models \varphi_2$;

— $\pi, i \models \mathrm{X}\varphi$ iff $\pi, i+1 \models \varphi$;

— $\pi, i \models \mathrm{Y}\varphi$ iff $i > 0$ and $\pi, i-1 \models \varphi$;

— $\pi, i \models \varphi_1\mathrm{U}\varphi_2$ iff there is some $j \geq i$ s.t. $\pi, j \models \varphi_2$ and $\pi, k \models \varphi_1$ for each $i \leq k < j$;

— $\pi, i \models \varphi_1\mathrm{S}\varphi_2$ iff there is some $j \leq i$ s.t. $\pi, j \models \varphi_2$ and $\pi, k \models \varphi_1$ for each $i \geq k > j$.

For the sake of convenience, we usually directly write $\pi, 0 \models \varphi$ as $\pi \models \varphi$. As usual, we employ some derived Boolean connectives such as

$\neg\varphi = \varphi \to \bot$, $\varphi \vee \psi = \neg\varphi \to \psi$, $\varphi \wedge \psi = \neg(\varphi \to \neg\psi)$

and derived temporal operators such as

$\mathrm{F}\varphi = \top\mathrm{U}\varphi$, $\mathrm{Z}\varphi = \neg\mathrm{Y}\neg\varphi$, $\mathrm{O}\varphi = \top\mathrm{S}\varphi$,
$\mathrm{G}\varphi = \neg\mathrm{F}\neg\varphi$, $\mathrm{H}\varphi = \neg\mathrm{O}\neg\varphi$,
$\varphi\mathrm{R}\psi = \neg(\neg\varphi\mathrm{U}\neg\psi)$, $\varphi\mathrm{T}\psi = \neg(\neg\varphi\mathrm{S}\neg\psi)$.

We say that $\wedge$ and $\vee$, F and G, O and H, Y and Z, U and R, T and S are pairwise dual operators.

Temporal operators like X, U, F, G, R are called future operators, whereas Y, Z, S, O, H and T are called past operators. We say an LTL formula is pure future (resp. pure past) if it involves no past (resp. future) operators.

Theorem 1 ([7]). Each LTL formula has an equivalent pure future expression.

Theorem 1 tells the fact that past operators do not add any expressive power to LTL formulae. Nevertheless, with these, we can give a much more succinct description in defining specifications.

Given an LTL formula $\varphi$, we denote by $sub(\varphi)$ the set of subformulae of $\varphi$. Particularly, we denote by $sub_{\mathrm{U}}(\varphi)$ and $sub_{\mathrm{S}}(\varphi)$ the sets of $\varphi$'s subformulae consisting of "U-subformulae" and "S-subformulae" respectively. A U-formula (resp. S-formula) is a formula rooted at U (resp. S).

A model is a tuple $M = (V, \rho, \theta_0, \mathcal{F}, \mathcal{C})$, where

— $V \subseteq \mathcal{P}$ is a finite set of atomic propositions.

— $\rho \in \mathbb{B}(V \cup V')$ is the transition relation.

— $\theta_0 \in \mathbb{B}(V)$ is the initial condition.

— $\mathcal{F} \subseteq \mathbb{B}(V)$ is a set of fairness constraints.

— $\mathcal{C} \subseteq \mathbb{B}(V) \times \mathbb{B}(V)$ is a set of compassion constraints.

A derived linear structure of $M$ is an infinite word $\pi \in (2^V)^\omega$ such that

1. $\pi(0) \Vdash \theta_0$;

2. $(\pi(i), \pi(i+1)) \Vdash \rho$ for each $i \in \omega$;

3. for each $\varphi \in \mathcal{F}$ there are infinitely many $i$'s having $\pi(i) \Vdash \varphi$;

4. for each $(\varphi, \psi) \in \mathcal{C}$, if there are infinitely many $i$'s having $\pi(i) \Vdash \varphi$, then there are also infinitely many $j$'s such that $\pi(j) \Vdash \psi$.

We denote by $L(M)$ the set of derived linear structures of $M$, and call it the language of $M$.

For a model $M$ and an LTL formula $\varphi$, we write $M \models \varphi$ if $\pi \models \varphi$ for each $\pi \in L(M)$. Meanwhile, we define

$CE(\varphi, M) = \{\pi \in L(M) \mid \pi \not\models \varphi\}$

and call it the counterexample set of $\varphi$ w.r.t. $M$.
3 Counterexample-Preserving Reduction

We describe the CePRe technique in this section; we fix the components of the model $M$ and just let it be $(V, \rho, \theta_0, \mathcal{F}, \mathcal{C})$.

For $M$, we are particularly concerned about formulae having the same counterexample set: we say that $\varphi$ and $\psi$ are inter-reducible w.r.t. $M$ if and only if $CE(\varphi, M) = CE(\psi, M)$, denoted as $\varphi \approx_M \psi$. Hence, $\varphi \approx_M \psi$ implies that $M \models \varphi \Leftrightarrow M \models \psi$.

The central part of CePRe is a series of reduction rules of the form

$\mathrm{Cond} \;\triangleright\; \varphi \approx \psi$ (name)

where "Cond" is called the additional condition.

Though the relation $\approx$ is actually symmetric, we always write the formula being reduced on the right-hand side of the "$\approx$" sign in reduction rules. Since the model $M$ is fixed in this section, we omit it from the subscript. In addition, if the additional condition trivially holds, we discard this part and directly write the rule as $\varphi \approx \psi$, and we say such a reduction rule is "model-independent"; in contrast, we call the other rules "model-dependent".

3.1 The Reduction Rules

First of all, we have some elementary reduction rules as depicted in Figure 1. For the rules (Init), (Ind) and (Trans), the notation "$\vdash$" occurring in the condition part stands for the "inferring" relation in propositional logic ($\rho \vdash \theta$ iff $\rho \wedge \neg\theta$ is unsatisfiable), and we here require that $\theta, \theta_1, \theta_2 \in \mathbb{B}(V)$.

$\theta_0 \vdash \theta \;\triangleright\; \theta \approx \top$ (Init)
$\rho \vdash \theta \;\triangleright\; \ldots \approx \top$ (Trans)
$\theta_0 \vdash \theta;\ \rho \vdash \theta \to \theta' \;\triangleright\; \mathrm{G}\theta \approx \top$ (Ind)
$\theta \in \mathcal{F} \;\triangleright\; \mathrm{GF}\theta \approx \top$ (Fair)
$(\theta_1, \theta_2) \in \mathcal{C} \;\triangleright\; (\mathrm{GF}\theta_1 \to \mathrm{GF}\theta_2) \approx \top$ (Comp)

Fig. 1. Elementary reduction rules.

Subsequently, let us define a partial order "$\sqsubseteq$" over unary temporal operators (and their combinations) as follows:

$\mathrm{F} \sqsubseteq \mathrm{GF} \sqsubseteq \mathrm{FG} \sqsubseteq \mathrm{G}$
$\mathrm{F} \sqsubseteq \mathrm{X}^i \sqsubseteq \mathrm{G}$
$\mathrm{O} \sqsubseteq \mathrm{HO} \sqsubseteq \mathrm{OH} \sqsubseteq \mathrm{H}$

where $\mathrm{X}^0\varphi = \varphi$ and $\mathrm{X}^{i+1}\varphi = \mathrm{X}(\mathrm{X}^i\varphi)$.
Assume that $P^\omega, P^{\omega'} \in \{\mathrm{F}, \mathrm{FG}, \mathrm{GF}, \mathrm{G}, \mathrm{O}, \mathrm{HO}, \mathrm{OH}, \mathrm{H}\} \cup \{\mathrm{X}^i \mid i \in \omega\}$ and $P^\omega \sqsubseteq P^{\omega'}$; we have two model-independent rules, as depicted in Figure 2.

Though these rules seem to be trivial, they are useful in doing combinational reductions (see the example given in Section 3.2).

$(P^\omega\varphi \wedge P^{\omega'}\varphi) \approx P^{\omega'}\varphi$ (CONJ)
$(P^\omega\varphi \vee P^{\omega'}\varphi) \approx P^\omega\varphi$ (DISJ)

Fig. 2. Reduction rules of (CONJ) and (DISJ).



Figure 3 provides some reduction rules that can be used to simplify nested temporal operators. Moreover, we may immediately get such a rule's "past version" by switching U and S, R and T, etc. For example, we may obtain the rule (OS) (i.e., $\mathrm{O}(\varphi\mathrm{S}\psi) \approx \mathrm{O}\psi$) from (FU).

$\mathrm{F}(\varphi\mathrm{U}\psi) \approx \mathrm{F}\psi$ (FU)
$\varphi\mathrm{U}(\mathrm{F}\psi) \approx \mathrm{F}\psi$ (U_F)
$\mathrm{FF}\varphi \approx \mathrm{F}\varphi$ (FF)
$\mathrm{GFG}\varphi \approx \mathrm{FG}\varphi$ (GFG)

Fig. 3. Reduction rules for formulae involving nested pure future operators.



Meanwhile, we also have the Duality Principle for model-independent rules: "by switching each operator with its dual operator, we may get a new reduction rule". For the rules listed in Figure 3, we may obtain the corresponding rules (GR), (R_G), (GG) and (FGF). As an example, the rule (GG) is just $\mathrm{GG}\varphi \approx \mathrm{G}\varphi$.



$\mathrm{Y}\varphi \approx \bot$ (Y)
$\mathrm{O}\varphi \approx \varphi$ (O)
$\varphi\mathrm{S}\psi \approx \psi$ (S)

Fig. 4. Reduction rules for formulae involving (outermost) past operators.

Since we always stand at the starting point when doing model checking (i.e., the goal is to check if $\pi, 0 \models \varphi$ for each $\pi \in L(M)$), we can sometimes "erase" the outermost past operators, as shown in Figure 4. Note that we can also acquire the rules (Z), (H) and (T) according to the Duality Principle. Just beware the exception that the rule (Z) should be $\mathrm{Z}\varphi \approx \top$.
$\mathrm{XY}\varphi \approx \varphi$ (XY)
$\mathrm{FH}\varphi \approx \mathrm{H}\varphi$ (FH)
$\mathrm{FO}\varphi \approx \mathrm{F}\varphi \vee \mathrm{O}\varphi$ (FO)
$\mathrm{F}(\varphi\mathrm{S}\psi) \approx \mathrm{F}\psi \vee \varphi\mathrm{S}\psi$ (FS)

Fig. 5. Reduction rules for formulae involving adjacent past and future operators.

Figure 5 introduces a series of rules handling formulae involving adjacent past and future temporal operators. Note that the rules (XZ), (GO), (GH) and (GT) are also immediately available.



From now on, we let $\theta_1, \theta_2, \ldots$ range over $\mathbb{B}(V)$, and let $\varphi_1, \varphi_2, \ldots$ be arbitrary LTL formulae. We have some model-dependent rules. The first group of such rules is listed in Figure 6.

In Figure 7, another set of reduction rules is provided, and these rules are mainly concerned with LTL formulae involving adjacent U-operators. Note that when applying the Duality Principle to model-dependent rules, besides switching the operators, we also need to exchange the antecedent and the consequent in the condition part. As an example, we may obtain the reduction rule

$\rho \vdash \theta_3 \to \theta_2 \;\triangleright\; (\varphi_1\mathrm{R}\theta_2)\mathrm{R}\theta_3 \approx \theta_3 \wedge (\varphi_1\mathrm{R}\theta_2)$ (R^R[3→2])

by applying the Duality Principle to (U^U[2→3]).

Lastly, Figure 8 provides some reduction rules that can be used to simplify formulae with mixed usage of U and R. Similarly, by dualizing the operators and inverting the additional condition, one may obtain reduction rules for formulae in which R appears (adjacently) outside U.

3.2 Reduction Strategy

We show the usage of CePRe reduction rules by illustrating the reduction process of $M \models (\theta_1\mathrm{U}\theta_2)\mathrm{U}\theta_3$:

1. We may first try the rule (U^U[1→3]) by asking the SAT-solver whether $\rho \vdash \theta_1 \to \theta_3$ holds.



$\rho \vdash \theta_1 \vee \theta_2 \;\triangleright\; \theta_1\mathrm{U}\theta_2 \approx \mathrm{F}\theta_2$ (U)

$\rho \vdash \theta_2 \to \theta_1 \vee \theta_2' \;\triangleright\; \theta_1\mathrm{R}\theta_2 \approx \theta_2$ (R)

Fig. 6. Reduction rules of (U) and (R).
$\rho \vdash \theta_1 \to \theta_2 \;\triangleright\; \theta_1\mathrm{U}\theta_2 \approx \theta_2$ (U[1→2])

$\rho \vdash \theta_1 \to \theta_3 \;\triangleright\; (\theta_1\mathrm{U}\varphi_2)\mathrm{U}\theta_3 \approx \varphi_2\mathrm{U}\theta_3$ (U^U[1→3])

$\rho \vdash \theta_2 \to \theta_3 \;\triangleright\; (\varphi_1\mathrm{U}\theta_2)\mathrm{U}\theta_3 \approx \theta_3 \vee (\varphi_1\mathrm{U}\theta_2)$ (U^U[2→3])

$\rho \vdash \theta_3 \to \theta_2 \;\triangleright\; (\varphi_1\mathrm{U}\theta_2)\mathrm{U}\theta_3 \approx (\varphi_1 \vee \theta_2)\mathrm{U}\theta_3$ (U^U[3→2])

$\rho \vdash \theta_2 \to \theta_3' \;\triangleright\; (\varphi_1\mathrm{U}\theta_2)\mathrm{U}\theta_3 \approx (\varphi_1 \vee \theta_2)\mathrm{U}\theta_3$ (U^U[2→3'])

$\rho \vdash \neg\theta_2 \to \theta_3 \;\triangleright\; (\varphi_1\mathrm{U}\theta_2)\mathrm{U}\theta_3 \approx \mathrm{F}\theta_3$ (U^U[¬2→3])

$\rho \vdash \theta_1 \to \theta_2 \;\triangleright\; \theta_1\mathrm{U}(\theta_2\mathrm{U}\varphi_3) \approx \theta_2\mathrm{U}\varphi_3$ (U_U[1→2])

$\rho \vdash \theta_1 \to \theta_3 \;\triangleright\; \theta_1\mathrm{U}(\varphi_2\mathrm{U}\theta_3) \approx \varphi_2\mathrm{U}\theta_3$ (U_U[1→3])

$\rho \vdash \theta_2 \to \theta_1 \;\triangleright\; \theta_1\mathrm{U}(\theta_2\mathrm{U}\varphi_3) \approx \theta_1\mathrm{U}\varphi_3$ (U_U[2→1])

Fig. 7. Reduction rules for formulae involving adjacent U operators.

$\rho \vdash \theta_1 \to \theta_3 \;\triangleright\; (\theta_1\mathrm{R}\varphi_2)\mathrm{U}\theta_3 \approx ((\theta_1\mathrm{R}\varphi_2) \vee \theta_3) \wedge \mathrm{F}\theta_3$ (U^R[1→3])

$\rho \vdash \neg\theta_1 \to \theta_3 \;\triangleright\; (\theta_1\mathrm{R}\varphi_2)\mathrm{U}\theta_3 \approx \varphi_2\mathrm{U}\theta_3$ (U^R[¬1→3])

$\rho \vdash \theta_1 \to \theta_3 \;\triangleright\; \theta_1\mathrm{U}(\varphi_2\mathrm{R}\theta_3) \approx \varphi_2\mathrm{R}\theta_3$ (U_R[1→3])

Fig. 8. Reduction rules for formulae involving adjacent U and R operators.

2. If the SAT-solver returns "unsatisfiable" for the input $\rho \wedge \theta_1 \wedge \neg\theta_3$, this implies that the additional condition holds, and we may replace the specification with $\theta_2\mathrm{U}\theta_3$.

3. Otherwise, we will try the next reduction rule, such as (U^U[2→3]).

In fact, these rules can also be "locally applied" to subformulae. For example, to make a local application of (FU), we may replace each occurrence of $\mathrm{F}(\varphi\mathrm{U}\psi)$ in the specification with $\mathrm{F}\psi$. The only exception is the group of rules listed in Figure 4: observe that we have $\mathrm{Y}\varphi \approx \bot$ according to (Y), yet this does not imply that $\mathrm{FY}\varphi \approx \mathrm{F}\bot$ holds. Hence, these rules have an "implicit condition" for local application: the subformula to be reduced must occur "temporally outermost" in the specification, i.e., the target subformula is not in the scope of any temporal operator in the specification.

Compositional use of reduction rules may lead to a more aggressive reduction. For example:

1. For the task of model checking $M \models \mathrm{FO}p$, we may first change the goal to $M \models \mathrm{F}p \vee \mathrm{O}p$, according to the rule (FO).

2. Now, the subformula $\mathrm{O}p$ is a temporally outermost one, hence we may take a local application of (O), and then the goal becomes $M \models \mathrm{F}p \vee p$.

3. Finally, we may change the model checking obligation into $M \models \mathrm{F}p$ via the rule (DISJ).

In the real implementation, we may perform a "max-match" rule-selection strategy, as depicted in Algorithm 1. In Line 15, for a rule "$\mathrm{Cond} \;\triangleright\; \psi \approx \eta$",

1. the simpler Cond is, and

2. the shorter $\eta$ is,

the higher priority it has to be chosen. Hence, a model-independent rule always has a higher priority than a model-dependent one. We can see that the reduction can be accomplished within $O(|\varphi|)$ iterations.

Input: The original specification $\varphi$.
Output: The specification having been reduced.
1   let $\Gamma := \emptyset$;  /* $\Gamma$ memorizes the sub-formulae with infeasible condition */
2   let $\Delta := \{\psi \in sub(\varphi) \setminus \Gamma$ such that $\psi$ matches some reduction rule(s)$\}$;
3   foreach $\psi_1, \psi_2 \in \Delta$ s.t. $\psi_1 \neq \psi_2$ do
4     if $\psi_1 \in sub(\psi_2)$ then
5       $\Delta := \Delta \setminus \{\psi_1\}$;  /* i.e., we only proceed with "max" subformulae */
6     end
7   end
8   if $\Delta = \emptyset$ then
9     return $\varphi$;
10  end
11  foreach $\psi \in \Delta$ do
12    let $\Theta :=$ the set of rules that can be applied to $\psi$;
13    /* note that we have $|\Theta| < 5$ for each $\psi$ */
14    while $\Theta \neq \emptyset$ do
15      choose $R := (\mathrm{Cond} \;\triangleright\; \psi \approx \eta)$ in $\Theta$;
16      if Cond holds then
17        $\varphi := \varphi''$;  /* $\varphi''$ is obtained from $\varphi$ by replacing $\psi$ with $\eta$ */
18        break;
19      end
20      $\Theta := \Theta \setminus \{R\}$;
21    end
22    $\Delta := \Delta \setminus \{\psi\}$;
23    if $\Theta = \emptyset$ then
24      $\Gamma := \Gamma \cup \{\psi\}$;  /* $\psi$ would be excluded in the next iteration */
25    end
26  end
27  goto 2;

Algorithm 1: The "max-match" rule-selection strategy.
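The condition check of the Introduction ($\rho \vdash \theta$ as unsatisfiability of $\rho \wedge \neg\theta$) and the reduction strategy of Sections 3.1 and 3.2, as an added Python example that is not part of the paper or of NuSMV. It implements a handful of the rules ((FU), (FF), (FO), (CONJ)/(DISJ), the outermost-past rules of Figure 4, (Ind), (U), (U[1→2]) and (U^U[1→3])) over a tuple encoding of formulae; the rule-name strings, the fixpoint driver (a simplification of Algorithm 1) and the toy model at the end are assumptions of the example.

```python
# Added example (not the paper's or NuSMV's code): a miniature CePRe-style reducer.
# An LTL formula is a nested tuple: ('p', name), ('true',), ('false',), ('not', f),
# ('and', f, g), ('or', f, g), unary temporal ('X'|'F'|'G'|'Y'|'O'|'H', f) and
# binary temporal ('U'|'S', f, g).  A primed proposition p' is the atom ('p', "p'").
from itertools import product

TRUE, FALSE = ('true',), ('false',)
TEMPORAL = {'X', 'F', 'G', 'U', 'Y', 'O', 'H', 'S'}
# Chains of the paper's partial order on unary operators: F ⊑ GF ⊑ FG ⊑ G,
# F ⊑ X^i ⊑ G (X^0 is the empty prefix '') and O ⊑ HO ⊑ OH ⊑ H.
CHAINS = [['F', 'GF', 'FG', 'G'], ['F', '', 'G'], ['F', 'X', 'G'], ['O', 'HO', 'OH', 'H']]

def implies(a, b): return ('or', ('not', a), b)

def prime(f):
    """theta': the next-state copy of a Boolean formula (every p becomes p')."""
    return ('p', f[1] + "'") if f[0] == 'p' else (f[0],) + tuple(prime(g) for g in f[1:])

def is_bool(f):
    return f[0] == 'p' or (f[0] not in TEMPORAL and all(is_bool(g) for g in f[1:]))

def atoms(f):
    return {f[1]} if f[0] == 'p' else set().union(*[atoms(g) for g in f[1:]])

def evalb(f, a):
    """Evaluate a Boolean formula under the assignment a (dict: atom -> bool)."""
    op = f[0]
    if op == 'p': return a.get(f[1], False)
    if op == 'not': return not evalb(f[1], a)
    if op == 'and': return evalb(f[1], a) and evalb(f[2], a)
    if op == 'or': return evalb(f[1], a) or evalb(f[2], a)
    return op == 'true'

def entails(rho, theta):
    """rho |- theta: rho /\\ ~theta is unsatisfiable (a SAT solver's job in the paper)."""
    names = sorted(atoms(rho) | atoms(theta))
    return all(evalb(theta, a) or not evalb(rho, a) for a in
               (dict(zip(names, bits)) for bits in product((False, True), repeat=len(names))))

def split_prefix(f):  # peel the unary temporal prefix: ('G', ('F', q)) -> ('GF', q)
    ops = ''
    while f[0] in ('X', 'F', 'G', 'O', 'H'):
        ops, f = ops + f[0], f[1]
    return ops, f

def combine(op, g, h):
    """(CONJ)/(DISJ) for P^w ⊑ P^w': keep P^w' under 'and' and P^w under 'or'."""
    (w1, g0), (w2, h0) = split_prefix(g), split_prefix(h)
    for chain in CHAINS:
        if g0 == h0 and w1 in chain and w2 in chain:
            lo, hi = sorted((w1, w2), key=chain.index)
            out = g0
            for name in reversed(hi if op == 'and' else lo): out = (name, out)
            return out
    return None

def rule_at(f, rho, theta0, outermost):
    """First reduction rule matching the root of f, as (rule name, reduced formula)."""
    op, args = f[0], f[1:]
    if op == 'p' or not args: return None
    a0 = args[0]
    if op == 'F' and a0[0] == 'U': return 'FU', ('F', a0[2])               # Figure 3
    if op == 'F' and a0[0] == 'F': return 'FF', a0
    if op == 'F' and a0[0] == 'O': return 'FO', ('or', ('F', a0[1]), a0)   # Figure 5
    if op in ('and', 'or') and combine(op, *args) is not None:             # Figure 2
        return ('CONJ' if op == 'and' else 'DISJ'), combine(op, *args)
    if outermost:  # Figure 4 and its duals: past operators evaluated at position 0
        if op == 'Y': return 'Y', FALSE
        if op in ('O', 'H'): return op, a0
        if op == 'S': return 'S', args[1]
    if rho is None: return None
    # Model-dependent rules below: the additional condition is discharged by entails().
    if op == 'G' and theta0 is not None and is_bool(a0) and entails(theta0, a0) \
            and entails(rho, implies(a0, prime(a0))):
        return 'Ind', TRUE                                                 # Figure 1
    if op == 'U' and is_bool(a0) and is_bool(args[1]):
        if entails(rho, implies(a0, args[1])): return 'U[1->2]', args[1]   # Figure 7
        if entails(rho, ('or', a0, args[1])): return 'U', ('F', args[1])   # Figure 6
    if op == 'U' and a0[0] == 'U' and is_bool(a0[1]) and is_bool(args[1]) \
            and entails(rho, implies(a0[1], args[1])):
        return 'UU[1->3]', ('U', a0[2], args[1])                           # Figure 7
    return None

def reduce_formula(f, rho=None, theta0=None, outermost=True, trace=None):
    """Rewrite to a fixpoint: rules at the root first, then inside the children."""
    trace = [] if trace is None else trace
    hit = rule_at(f, rho, theta0, outermost)
    while hit is not None:
        trace.append(hit[0]); f = hit[1]
        hit = rule_at(f, rho, theta0, outermost)
    if f[0] == 'p' or not f[1:]: return f, trace
    inner = outermost and f[0] not in TEMPORAL   # do the children stay temporally outermost?
    new = (f[0],) + tuple(reduce_formula(g, rho, theta0, inner, trace)[0] for g in f[1:])
    return reduce_formula(new, rho, theta0, outermost, trace) if new != f else (f, trace)

# Constructed toy model (not from the paper): a -> c is an invariant and c toggles each step.
A, B, C = ('p', 'a'), ('p', 'b'), ('p', 'c')
RHO = ('and', implies(A, C), ('and', implies(prime(A), prime(C)),
       ('or', ('and', C, ('not', prime(C))), ('and', ('not', C), prime(C)))))
THETA0 = ('and', ('not', A), ('not', C))
```

`reduce_formula(('F', ('O', ('p', 'q'))))` reproduces the three-step chain of the worked example (FO, O, DISJ), and `reduce_formula(('U', ('U', A, B), C), RHO)` discharges the condition of (U^U[1→3]) on the toy model.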
3.3 Performance Analysis of the Reduction

We now try to answer the question "why can we gain better performance during verification if CePRe is conducted first". To give a rigorous explanation, we briefly revisit the implementation of symbolic model checking algorithms.

The core procedure of the BDD-based LTL symbolic model checking algorithm is to construct a tableau for the (negated) property. In what follows, we refer to the tableau of $\varphi$ as $T_\varphi$, and we give an analysis of its major components affecting the cost of model checking.

State space: The state space of $T_\varphi$ consists of subsets of $el(\varphi)$, and the set $el(\varphi)$ can be inductively computed as follows.

- $el(\top) = el(\bot) = \emptyset$.

- $el(p) = \{p\}$ if $p \in \mathcal{P}$.

- $el(\varphi_1 \to \varphi_2) = el(\varphi_1) \cup el(\varphi_2)$.

- $el(\mathrm{X}\psi) = \{\mathrm{X}\psi\} \cup el(\psi)$, and $el(\mathrm{Y}\psi) = \{\mathrm{Y}\psi\} \cup el(\psi)$.

- $el(\varphi_1\mathrm{U}\varphi_2) = el(\varphi_1) \cup el(\varphi_2) \cup \{\mathrm{X}(\varphi_1\mathrm{U}\varphi_2)\}$ and $el(\varphi_1\mathrm{S}\varphi_2) = el(\varphi_1) \cup el(\varphi_2) \cup \{\mathrm{Y}(\varphi_1\mathrm{S}\varphi_2)\}$.

With symbolic representation, each formula $\psi \in el(\varphi)$ corresponds to a proposition in building the tableau. Moreover, if $\psi \in \mathcal{P}$, then no new proposition needs to be introduced (since it has already been introduced in building the symbolic representation of $M$); otherwise, a fresh proposition is required. Hence the total number of newly introduced propositions equals $|el(\varphi) \setminus \mathcal{P}|$. From an induction over the formula's structure, we have the following claim.

Proposition 1. $|el(\varphi) \setminus \mathcal{P}|$ equals the number of temporal operators in $\varphi$.

Transitions: The transition relation of $T_\varphi$ is a conjunction of a set of constraints, and each constraint is either of the form $p_{\mathrm{X}\psi} \leftrightarrow \sigma(\psi)'$ or $p'_{\mathrm{Y}\eta} \leftrightarrow \sigma(\eta)$, where $\mathrm{X}\psi, \mathrm{Y}\eta \in el(\varphi)$, and the function $\sigma$ can be inductively defined as follows.

- $\sigma(\bot) = \bot$ and $\sigma(\top) = \top$.

- $\sigma(p) = p$ for each $p \in \mathcal{P}$.

- $\sigma(\psi_1 \to \psi_2) = \sigma(\psi_1) \to \sigma(\psi_2)$.

- $\sigma(\mathrm{X}\psi_1) = p_{\mathrm{X}\psi_1}$ and $\sigma(\mathrm{Y}\psi_2) = p_{\mathrm{Y}\psi_2}$.

- $\sigma(\psi_1\mathrm{U}\psi_2) = \sigma(\psi_2) \vee \sigma(\psi_1) \wedge p_{\mathrm{X}(\psi_1\mathrm{U}\psi_2)}$ and $\sigma(\psi_1\mathrm{S}\psi_2) = \sigma(\psi_2) \vee \sigma(\psi_1) \wedge \ldots$

According to the definition of $el$, we can see that each $\psi \in sub(\varphi)$ rooted at a future (resp. past) temporal operator produces exactly one formula $\mathrm{X}\eta$ (resp. $\mathrm{Y}\eta$) in $el(\varphi)$, and hence a new proposition $p_{\mathrm{X}\eta}$ (resp. $p_{\mathrm{Y}\eta}$) is introduced. Subsequently, each such $p_{\mathrm{X}\eta}$ (resp. $p_{\mathrm{Y}\eta}$) adds exactly one constraint to the transition relation. Hence, we have the following claim.

Proposition 2. The number of constraints in the transition relation of $T_\varphi$ equals the number of temporal operators occurring in $\varphi$ (alternatively, $|el(\varphi) \setminus \mathcal{P}|$).
Fairness constraints: According to the tableau construction, each $\psi \in sub_{\mathrm{U}}(\varphi)$ imposes a fairness constraint on $T_\varphi$. Hence, the number of fairness constraints equals $|sub_{\mathrm{U}}(\varphi)|$.

With a case-by-case check, we can show the following theorem.

Theorem 2. Let "$\mathrm{Cond} \;\triangleright\; \varphi \approx \psi$" be a reduction rule; then we have $|el(\psi) \setminus \mathcal{P}| \leq |el(\varphi) \setminus \mathcal{P}|$ and $|sub_{\mathrm{U}}(\psi)| \leq |sub_{\mathrm{U}}(\varphi)|$.
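The tableau components of this subsection ($el$, $\sigma$, the transition constraints and the fairness-constraint count), as an added Python example that is not part of the paper or of NuSMV; it measures the reduction of Section 3.2, $(\theta_1\mathrm{U}\theta_2)\mathrm{U}\theta_3$ to $\theta_2\mathrm{U}\theta_3$, against Theorem 2. The tuple encoding of formulae and the naming scheme `p_<formula>` for the fresh propositions are assumptions of the example.

```python
# Added example (not the paper's code): the components of the tableau T_phi from
# Section 3.3.  A formula is a nested tuple: ('p', name), ('true',), ('false',),
# ('imp'|'and'|'or', f, g), ('not', f), ('X'|'Y', f), ('U'|'S', f, g).
BOOL = {'imp', 'and', 'or', 'not'}

def show(f):
    """Print a formula; the fresh tableau propositions are named p_<formula> below."""
    op = f[0]
    if op == 'p': return f[1]
    if op in ('true', 'false'): return {'true': 'T', 'false': '_|_'}[op]
    if op in ('X', 'Y', 'not'): return op + show(f[1])
    return '(' + show(f[1]) + ' ' + op + ' ' + show(f[2]) + ')'

def subformulas(f):
    return {f} | set().union(*[subformulas(g) for g in f[1:] if isinstance(g, tuple)])

def el(f):
    """The set el(phi) of elementary formulae, following the inductive definition."""
    op = f[0]
    if op in ('true', 'false'): return set()
    if op == 'p': return {f}
    if op in BOOL: return set().union(*[el(g) for g in f[1:]])
    if op in ('X', 'Y'): return {f} | el(f[1])
    return el(f[1]) | el(f[2]) | {('X' if op == 'U' else 'Y', f)}   # U / S

def sigma(f):
    """sigma(psi): psi rewritten over P plus the fresh propositions p_{X eta}, p_{Y eta}."""
    op = f[0]
    if op in ('true', 'false', 'p'): return f
    if op in BOOL: return (op,) + tuple(sigma(g) for g in f[1:])
    if op in ('X', 'Y'): return ('p', 'p_' + show(f))
    nxt = ('p', 'p_' + ('X' if op == 'U' else 'Y') + show(f))   # p_{X(psi1 U psi2)} / p_{Y(psi1 S psi2)}
    return ('or', sigma(f[2]), ('and', sigma(f[1]), nxt))

def tableau(f):
    """(fresh propositions, transition constraints, number of fairness constraints) of T_phi."""
    fresh = sorted('p_' + show(e) for e in el(f) if e[0] != 'p')
    cons = []
    for e in el(f):
        if e[0] == 'X':                      # p_{X psi} <-> sigma(psi)'
            cons.append(('p_' + show(e), show(sigma(e[1])) + "'"))
        elif e[0] == 'Y':                    # p'_{Y eta} <-> sigma(eta)
            cons.append(('p_' + show(e) + "'", show(sigma(e[1]))))
    fair = sum(1 for s in subformulas(f) if s[0] == 'U')   # one per U-subformula
    return fresh, sorted(cons), fair

def theorem2_holds(phi, psi):
    """Check Theorem 2 for a rule phi ~ psi: the reduced side is never larger."""
    fp, cp, ap = tableau(phi)
    fq, cq, aq = tableau(psi)
    return len(fq) <= len(fp) and len(cq) <= len(cp) and aq <= ap
```

For $(a\mathrm{U}b)\mathrm{U}c$ the tableau needs two fresh propositions, two constraints and two fairness constraints; the reduced $b\mathrm{U}c$ needs one of each.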

In contrast, the cost of BMC is quite sensitive to the encoding approach. In a broad sense, we can categorize the encoding approaches into two fashions.

Syntactic encoding. Such encodings are inductively produced w.r.t. the formula's structure. The very original one is presented in [1], and this is improved in [4] by observing some properties of that encoding. In [9] (as well as in [2]), a linear incremental syntactic encoding is suggested.

Semantic encoding. In [5], an alternative BMC technique is provided: it mimics the tableau-based model checking process, but it expresses the fair-path detection upon the product model with a Boolean formula.²

For the semantic encodings, the reason that we can benefit from CePRe is exactly the same as that for the BDD-based approach, because the encoding is a conjunction of a $k$-step unrolling of $M$ and a $k$-step unrolling of $T_\varphi$ (an unrolling is either a partial linear structure, or one ending with a loop). The former is usually in a fixed pattern, and for the latter we need $k \times |el(\varphi) \setminus \mathcal{P}|$ new propositions, and the sizes of the Boolean formulae w.r.t. the transition and fairness constraints³ are respectively $O(k \times |el(\varphi) \setminus \mathcal{P}|)$ and $O(k^2 \times |sub_{\mathrm{U}}(\varphi)|)$.

For a syntactic BMC encoding, one needs to generate a Boolean formula of the form $\ldots \wedge E^k_\varphi$, where the first conjunct is the "unrolling" of $M$ with $k$ steps, and $E^k_\varphi$ describes that the $k$-step unrolling causes a violation of $\varphi$. In general, the unrolling of $M$ is almost the same in all syntactic encodings, and the key factor affecting the cost lies in $E^k_\varphi$.

Given a subformula $\psi$ of $\varphi$, if we use $\|E^k_\psi\|$ to denote the max length of the Boolean formula describing that $\psi$ is initially satisfied upon a $k$-step unrolling, then it can be inductively computed as follows.

- $\|E^k_\bot\| = \|E^k_\top\| = 0$.⁴

- $\|E^k_p\| = 1$ for each $p \in \mathcal{P}$.

- $\|E^k_{\mathrm{X}\psi}\| = \|E^k_{\mathrm{Y}\psi}\| = \|E^k_\psi\|$.

- $\|E^k_{\psi_1\mathrm{U}\psi_2}\| = \|E^k_{\psi_1\mathrm{S}\psi_2}\| = L(k) \times \|E^k_{\psi_1}\| + k \times \|E^k_{\psi_2}\|$.⁵

² In [8], a "fixpoint"-based encoding is proposed, and we also attribute this technique to semantic encoding in this paper.

³ Note that the part w.r.t. fairness constraints can be linearized.

⁴ This is just for the case when $\bot$ or $\top$ appears as a subformula in the specification, and hence can be optimized; otherwise, we have $\|E^k_\bot\| = \|E^k_\top\| = 1$.

⁵ Note that this case does not imply that further blow-up would be caused with deeper nesting of temporal operators. For example, in [9], by introducing sharing propositions and reusing them, it still leads to a linear encoding for the whole formula.
Here, $L(k)$ is some polynomial in $k$, related to the encoding approach. For example, with the technique proposed in [1,8], we have $L(k) \in O(k^2)$, whereas $L(k) \in O(k)$ in [9]. This partly explains why we tend to replace temporal nestings with Boolean combinations, as done in (U^U[3→2]) etc.

Another feature affecting the cost is the number of propositions occurring in the encoding. If we denote by $var_k(\varphi)$ the set of additional propositions which only take part in the encoding of $E^k_\varphi$, then we have the following conclusions.

— For the techniques proposed in [1] and [4], we have $var_k(\varphi) = \emptyset$; in other words, all propositions required in encoding $E^k_\varphi$ can be shared with those for the unrolling of $M$.

— In terms of the encoding presented in [9], we need to add $O(k)$ new propositions to $var_k(\varphi)$ for each U-subformula and for each S-subformula.

Theorem 3. Let "$\mathrm{Cond} \;\triangleright\; \varphi \approx \psi$" be a reduction rule; then we have $\|E^k_\psi\| \leq \|E^k_\varphi\|$ and $|var_k(\psi)| \leq |var_k(\varphi)|$ in syntactic encodings.

4 Experimental Results

We have integrated CePRe as an upfront option in NuSMV.⁶ We have conducted experiments upon both industrial benchmarks and randomly generated cases, in terms of both BDD-based and bounded model checking (the BMC encoding approach we adopt here is that proposed in [4], which is the current implementation of NuSMV).

We conduct the experiments on the following platform: CPU: Intel Core Duo2 E4500 2.2GHz; Mem: 2G Bytes; OS: Ubuntu 10.04 Linux; Cudd v2.4.1.1; Zchaff v2007.3.12.

4.1 Experiments upon Industrial Benchmarks

The benchmarks we choose in this paper are from [2], and most of them come from real hardware verification.

Table 1 provides experimental results for BDD-based LTL symbolic model checking. The field #Time is the sum of user time and system time, and the field #R.S. refers to the total number of reachable states. For Table 1, we have the following remarks:

1. 8 out of 16 specifications could be reduced with CePRe (and these specifications have been highlighted).

2. For the specifications that can be reduced, considerable improvements are made in allocating resources. The most significant case is Pit.g.ltl: with CePRe, the number of BDD nodes is decreased to 12.5% of that without CePRe.

⁶ The tool is available at http://sourceforge.net/projects/nusmvwithcepre, and all SMV manuscripts for the experiments can be found in the folders /files/benchmark and /files/random on that site.
Table 1. Comparative results of BDD-based MC with/without CePRe.

3. Something noteworthy that we do not provide in the table is that if a violated LTL specification can be reduced, the newly generated counterexample is usually shorter than before. Among the 8 specifications that can be reduced, the counterexample lengths of Pti.nuv.ltl, Pit.g.ltl, PO.ltl and Seq.ltl are respectively shortened to 15, 10 and 194, as opposed to the original values 16, 12 and 217. Meanwhile, the counterexample lengths of the others are kept unchanged.

Table 2 yields the experimental results for BMC-based model checking, and we here give some comments on that.

1. With NuSMV, one needs to preset a max-bound when doing bounded model checking. The column #Max-bound gives such values; a "star mark" means that this bound does not reach the completeness threshold. The field #N.O.C. designates the number of clauses generated during model checking.

2. From the table, we can see that without CePRe the specification Pti.gnv.ltl generates 2101 clauses when a counterexample is detected; in contrast, it only produces 299 clauses if CePRe is switched on.

3. Another impressive comparison is for PO.ltl upon dmeS: if we do not do any reduction, the SAT-solver reports a SEGMENTATION FAULT at Step 35. In contrast, using CePRe, a counterexample could be found at Step 62.

4. Since the encoding approach we adopt is taken from [4], the propositions used in the encoding are only determined by the model and the bound, thus the number of required propositions does not change. For this reason, the corresponding experimental results on proposition numbers are not provided.
Table 2. Experimental results of BMC-based MC with/without CePRe.

It should be pointed out that both model-independent and model-dependent rules contribute to the reductions. For example, for the model srg5 and the specification Pti.g.ltl, the rules (FS) and (S) are applied; meanwhile, for the model msi_wtrans and the specification Seq.ltl, the rule (U^U[¬2→3]) takes part in the reduction.

4.2 Experiments w.r.t. Random Models and Specifications

We have also performed experiments upon randomly generated models and specifications with the tool Lett [13] and with the methodology suggested in [2].

Fig. 9. Experimental results on BDD-based model checking for random cases (plotted against the length of the specification).

Fig. 10. Experimental results on bounded model checking for random cases.

For each $3 \leq \ell \leq 7$, we randomly generate 40 specifications having length $\ell$. Subsequently, for each specification, we generate two models, respectively for BDD-based model checking and for BMC. Hence, we have 200 specifications and 400 models in total.

For BDD-based model checking, we give the comparative results on 1) the scale of BDD nodes, 2) the number of reachable states, and 3) the time consumed, as shown in Figure 9. For BMC, we have set the max-bound to 20 and we have compared 1) the number of clauses, and 2) the execution time, as shown in Figure 10. Each value we provide here is the average of the 40 executions.

For BDD-based model checking, there are 123 (out of 200) specifications that can be reduced; whereas for BMC, the number of specifications that can be reduced is 118.

5 Concluding Remarks

In this paper, we present a new technique to reduce the complexity of LTL specifications for symbolic model checking, namely CePRe. The novelty of this technique is that the formula being reduced need not be logically equivalent to the one after reduction, but just needs to preserve the counterexample set. Moreover, the condition enabling such a reduction can usually be detected with lightweight approaches, such as SAT-solving. Hence, this technique can leverage the power of SAT-solvers.

The central part of CePRe is a set of reduction rules, and the soundness of these reduction rules is fairly easy to check. For the model-dependent rules, the additional conditions mainly concern invariants and transitions only, and we do not make sufficient use of other features, such as fairness. In this paper, we just consider as many combinations of two temporal operators as possible; indeed, there might be other possible reduction schemas we are not aware of. In this paper, we tentatively provide such a framework, and one can extend it to model checking of other logics.

From the experimental results, we can see that, from a statistical perspective, we can gain better performance and lower overhead with CePRe.